Sigstore signature verification in varyup, unified vulnerability scanning across all ecosystems, reproducible JARs, and five dependency upgrades including two CVE fixes. The compiler gained a review command, host-language leakage detection, canonical naming enforcement, and four project templates for vary new. The release pipeline added SLSA build provenance, automated artifact validation, content scanning, and Windows packaging support.
| Change | Description |
|---|---|
| Sigstore release signing | Release artifacts are now signed with Sigstore via cosign keyless signing. varyup verifies signatures on download using the cosign bundle format. Breaking: older varyup binaries that do not understand Sigstore bundles cannot verify new releases; upgrade varyup first. |
| Unified vulnerability scanning | New osv-scanner security gate covers Go, npm, and Java transitive dependencies in a single pass. Six Go vulnerabilities and one npm vulnerability fixed. |
| Pebble 4.1.1 upgrade | Upgraded Pebble template engine from 3.2.2 to 4.1.1 to fix an SSTI (server-side template injection) vulnerability. |
| Quarkus 3.34.2 upgrade | Upgraded Quarkus from 3.31.1 to 3.34.2. Fixed bean discovery changes in 3.34 and removed the netty dependency force-override. |
| vary review command | New CLI command that produces a module review covering roles, test inventory, effects, contracts, trust gaps, and mutation guidance. |
| vary new templates | Four project templates (cli, library, service-client, and serious) with agent selection and skill scaffolding. |
| Canonical naming enforcement | Compiler error for non-canonical names. PascalCase required for types, snake_case for everything else. |
| Property testing framework | Replay, corpus persistence, generators, and shrinking analysis for property-based tests using across. |
| SLSA build provenance | SLSA build provenance attestation for verifiable supply chain metadata on release artifacts. |
| Release artifact validation | Automated release asset validation and content scanning wired into the CI release pipeline. |
| VAST corpus protection | Acceptance-set corpus entries are now protected from nightly pruning to preserve historical evidence. |
| Result match codegen fix | Fixed missing CHECKCAST for enum error types in match arms over Result values. |
| Contract codegen fix | Fixed out contracts on Result and enum return types causing JVM VerifyError. |
| LSP import resolution fix | Fixed import resolution for nested project layouts so the language server finds modules correctly. |
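The Sigstore row above says varyup now refuses a release artifact unless its cosign bundle verifies. The following Go program is an added illustration of that verify-before-use step, not varyup's or cosign's own code: it signs the SHA-256 digest of a constructed artifact with a P-256 key, packs the signature and public key into a simplified bundle structure (a stand-in that is not the cosign wire format), and shows the installer-side check rejecting a modified download. The `releaseBundle` type, the function names, and the artifact bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// releaseBundle is a constructed, simplified stand-in for a cosign bundle:
// a signature over the artifact's SHA-256 digest plus the PEM public key
// that must verify it. A real cosign keyless bundle carries a short-lived
// Fulcio certificate and a Rekor transparency-log entry instead, and the
// verifier checks those against an expected signer identity and OIDC issuer.
type releaseBundle struct {
	Signature string `json:"signature"` // base64 of the ASN.1 DER ECDSA signature
	PublicKey string `json:"publicKey"` // PEM-encoded PKIX public key
}

// newSigningKey creates a P-256 key, the curve cosign uses by default.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signArtifact hashes the artifact, signs the digest and packs the result
// into a JSON bundle, the release-job side of the exchange.
func signArtifact(priv *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return json.Marshal(releaseBundle{
		Signature: base64.StdEncoding.EncodeToString(sig),
		PublicKey: string(pubPEM),
	})
}

// verifyArtifact is the check an installer performs before it unpacks or
// executes anything: parse the bundle, recover the key, and verify the
// signature over the digest of the bytes it actually downloaded.
func verifyArtifact(bundleJSON, artifact []byte) (bool, error) {
	var b releaseBundle
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return false, fmt.Errorf("malformed bundle: %w", err)
	}
	block, _ := pem.Decode([]byte(b.PublicKey))
	if block == nil || block.Type != "PUBLIC KEY" {
		return false, errors.New("bundle has no PEM public key")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("bad public key: %w", err)
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(b.Signature)
	if err != nil {
		return false, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	priv, err := newSigningKey()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed stand-in for a downloaded release binary.
	artifact := []byte("constructed stand-in for a varyup release binary")
	bundleJSON, err := signArtifact(priv, artifact)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ok, _ := verifyArtifact(bundleJSON, artifact)
	fmt.Println("genuine artifact verifies:", ok)
	ok, _ = verifyArtifact(bundleJSON, append(artifact, " tampered"...))
	fmt.Println("tampered artifact verifies:", ok)
}
```

The point the example makes is that the key a bundle carries only matters if the verifier binds it to an expected signer: here the bundle supplies its own public key, so a bundle signed by any key verifies against itself. Keyless cosign closes that gap by issuing the key's certificate from Fulcio for a specific OIDC identity and logging it in Rekor, which is why `cosign verify-blob` requires `--certificate-identity` and `--certificate-oidc-issuer`; a varyup release check has to pin those values rather than trust whatever the bundle contains. This is also the reason the row calls the change breaking: a varyup that predates bundle support has no way to perform this check and must be upgraded first.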